APIs are the real perimeter for SaaS. Zero trust means verify every call, assume breach, and make abuse expensive.
TL;DR
Short-lived tokens, scoped OAuth, mutual TLS for service-to-service, rate limits per tenant, and structured audit logs are the baseline - not optional extras.
What is the smallest hardening set for a new API?
Authentication, authorization (RBAC or ABAC), input validation, idempotency keys on writes, and consistent error shapes. Add request signing for partner integrations that cannot use OAuth.
How do we detect credential stuffing early?
Track failed auth velocity per IP and per user, alert on impossible travel for admin tokens, and automatically rotate webhooks when leak signals appear. Pair logs with a SIEM or managed detections as you scale.
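One way to implement the per-IP and per-user failure-velocity check described above, as an added example that is not code from the original post: a sliding-window counter over constructed sample auth log lines. The log format, thresholds and window size are assumptions; tune them to your tenant's traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
IP_FAIL_LIMIT = 5       # failed logins from one IP inside WINDOW ...
IP_DISTINCT_USERS = 3   # ... spread over at least this many accounts
USER_FAIL_LIMIT = 4     # failed logins against one account inside WINDOW

# Constructed sample auth log (not real data): "<ts> <event> <user> <ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth.fail alice 203.0.113.7
2024-05-01T10:00:05Z auth.fail bob 203.0.113.7
2024-05-01T10:00:09Z auth.fail carol 203.0.113.7
2024-05-01T10:00:12Z auth.fail dave 203.0.113.7
2024-05-01T10:00:15Z auth.fail erin 203.0.113.7
2024-05-01T10:01:00Z auth.ok alice 198.51.100.4
2024-05-01T10:21:00Z auth.fail bob 192.0.2.9
2024-05-01T10:21:10Z auth.fail bob 192.0.2.10
2024-05-01T10:21:20Z auth.fail bob 192.0.2.11
2024-05-01T10:21:30Z auth.fail bob 192.0.2.12
"""

def parse_line(line):
    ts, event, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip

def detect(log_text):
    """Return alerts as (kind, key, iso_ts) tuples; a key's window resets after it alerts."""
    by_ip = defaultdict(deque)    # ip -> (ts, user) of recent failures
    by_user = defaultdict(deque)  # user -> ts of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, ip = parse_line(line)
        if event != "auth.fail":
            continue
        cutoff = ts - WINDOW
        ipq, userq = by_ip[ip], by_user[user]
        ipq.append((ts, user))
        userq.append(ts)
        while ipq[0][0] < cutoff:   # evict failures older than the window
            ipq.popleft()
        while userq[0] < cutoff:
            userq.popleft()
        # One IP failing against many distinct accounts: the stuffing shape.
        if len(ipq) >= IP_FAIL_LIMIT and len({u for _, u in ipq}) >= IP_DISTINCT_USERS:
            alerts.append(("ip_spread", ip, ts.isoformat()))
            ipq.clear()
        # Many failures against one account, even when spread across IPs.
        if len(userq) >= USER_FAIL_LIMIT:
            alerts.append(("user_velocity", user, ts.isoformat()))
            userq.clear()
    return alerts
```

Run `detect(SAMPLE_LOG)` to see both patterns fire: the single IP hitting five accounts, and the account `bob` hit from four different IPs that each stay under the per-IP limit.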
Building a B2B product and need a security-minded integration layer? Our custom software team ships APIs with these defaults.